What are CVE-2025–53770 and CVE-2025–53771?
These are vulnerabilities affecting on-premises SharePoint Servers that are actively being exploited. Microsoft has released security updates to fully protect customers using all supported versions of SharePoint affected by these CVEs.
Customers should apply these updates immediately.
Which SharePoint versions are affected by these vulnerabilities?
On-premises SharePoint Servers, specifically:
SharePoint Server Subscription Edition
SharePoint 2019
SharePoint 2016
SharePoint Online in Microsoft 365 is not impacted.
What are the immediate actions customers should take to protect their environments?
Apply the latest security updates provided by Microsoft for CVE-2025–53770 and CVE-2025–53771:
Microsoft SharePoint Server Subscription Edition:
Microsoft SharePoint Server 2019:
Microsoft SharePoint Server 2016:
Updates are cumulative, so applying the latest ones will cover previous patches.
What are the recommended security measures beyond applying updates?
In addition to applying security updates, Microsoft recommends the following:
Use supported SharePoint versions: Ensure your on-premises SharePoint Server is a supported version (2016, 2019, or Subscription Edition).
Enable AMSI: Configure and enable the Antimalware Scan Interface (AMSI), preferably with HTTP Request Body scanning in Full Mode, and deploy Microsoft Defender Antivirus on all SharePoint servers.
Deploy Microsoft Defender for Endpoint: Implement Microsoft Defender for Endpoint or an equivalent threat solution to detect and block post-exploit activity.
Rotate ASP.NET machine keys: After applying updates or enabling AMSI, rotate SharePoint Server ASP.NET machine keys and restart IIS on all SharePoint servers.
Consider disconnecting the server from the Internet or use VPN or an authenticated proxy if you cannot enable AMSI.
What is the significance of rotating SharePoint Server ASP.NET machine keys?
Rotating SharePoint Server ASP.NET machine keys is critical because if an attacker compromises a server before the security updates are applied, they might be able to exfiltrate the machine keys. These keys can then be used to craft malicious payloads that would appear legitimate, even after the updates are installed. Rotating the keys ensures that any compromised keys are invalidated, enhancing overall security. This should be done via PowerShell commands and followed by an IIS restart on all SharePoint servers.
Are there specific queries or indicators administrators can use for advanced threat hunting in their environment?
Microsoft has provided two sample queries that administrators can run in the Microsoft 365 Defender (Microsoft 365 Security Center) to identify potential exploitation activity:
Go to Advanced Hunting → Query.
Set Your Time Range.
Detects the creation of a file named spinstall0.aspx, indicating successful post-exploitation of CVE-2025–53770.
DeviceFileEventsDeviceFileEvents
| where FolderPath has_any (@'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS', @'microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS')
| where FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp descIdentify when w3w.exe (the IIS worker process) spawns encoded PowerShell commands that involve the spinstall0 file or the known file paths where it has been observed to be written.
DeviceProcessEvents
| where InitiatingProcessFileName has "w3wp.exe"
and InitiatingProcessCommandLine !has "DefaultAppPool"
and FileName =~ "cmd.exe"
and ProcessCommandLine has_all ("cmd.exe", "powershell")
and ProcessCommandLine has_any ("EncodedCommand", "-ec")
| extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments to typeof(string)
| where CommandArguments matches regex "^[A-Za-z0-9+/=]{15,}$"
| extend B64Decode = replace("\\x00", "", base64_decodestring(tostring(CommandArguments)))
| where B64Decode has_any ("spinstall0", @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS', @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS')Where can I find more detailed information and threat intelligence?
Official Sources: